Author Message

Fossegrimen

Rank 0
Joined
25 Sep 2008
Posts
3
Location
A wee little place Norway
Posted Apr 21, 2013 3:16 pm

Unreasonable request from Aeria

Input from Billing would be greatly appreciated
I had my main Shaiya account locked today due to AP security reasons (I assume).

I received an email from Billing where they thanked me for purchasing AP yesterday, but telling me that they were wondering if I was really me, as my account email did not match the email I purchase AP from, and that to avoid issues in the future, I should make sure these match.

I will hereby claim that this request is not just unreasonable, it is even downright rude. Why?

Here's why.

1 - Because of the frail safety of the accounts database, our accounts are constantly being attempted compromised and AP drained from them. Every time this happens, we are required to make new email addresses to associate our Aeria accounts with. Switching back to the previous email would be a bad idea, as it could be compromised for all we know.

2 - No one half sane would ever use the same email address they use for their online payment service as the email address they associate with their AP purchasing account on Aeria. Why? See reason 1.

3 - Because of 1 and 2, requesting us to use the same email address for our online payment services and our Aeria accounts is unreasonable and even rude. It is Aeria's lack of safety that causes this to be, not our precautions to avoid Aeria's lack of safety affecting our payment services.

I have sent a ticket to have my account restored to me, and I wholly expect to see it done promptly (not to mention because I sent a ticket about the account being drained of AP BEFORE it was locked and me immediately changing the password). And I also expect Aeria to stop making ridiculous requests of its customers. If not, the Customers Relations Team will have me calling on them.

Yours,

billdoor


Edit: I am now informed that other players in the same situation who previously have pointed out the above in extenso in tickets to Aeria have been told to stop belabouring the point as further input on the subject would be considered spam. These players had to stop buying AP as they would not have their accounts restored to them if they did not make sure their billing and account emails matched.

This is unreasonable in the extreme. It is OUR money you are asking us to risk, Aeria. Weren't mystery boxes bad enough? You want us to willingly expose our online payment accounts to risk for your sake?

We use DIFFERENT emails for different purposes for VERY good reasons, something Billing at Aeria seems to fail to grasp. And yet, we are being called on at every opportunity to make sure our accounts stay safe.

Something is not adding up.

billdoor

Rank 5.1
Joined
05 Aug 2008
Posts
6422
Location
Foldereid Norway
Posted Apr 21, 2013 5:08 pm
Double post.

My account has now been restored to me (minus the missing AP, but I guess that will be taken care of). I appreciate the prompt response and restoration by the Aeria staff.

That said, the above policy of requiring email addresses of our payment services and our gaming accounts needs addressing and reviewing. Our money is too important to us for us to expose them to unnecessary risk. Which it seems Aeria requires us to do.

SeasonsEnd/MadManMoon/Uigeadail - retired from Shaiya as of May 10th 2014.

Fossegrimen

Rank 0
Joined
25 Sep 2008
Posts
3
Location
A wee little place Norway
Posted Apr 21, 2013 5:31 pm
Are you freaking kidding me?

Now you locked my account again within 30 minutes of restoring it to me?

Flaming, hopping mad,

billdoor

billdoor

Rank 5.1
Joined
05 Aug 2008
Posts
6422
Location
Foldereid Norway
Posted Apr 21, 2013 7:03 pm
Back in business again...who knows for how long...

SeasonsEnd/MadManMoon/Uigeadail - retired from Shaiya as of May 10th 2014.

skull12580

Rank 5.1
Joined
24 Nov 2006
Posts
7170
Location
On the planet consumed by greed. United States
Posted Apr 21, 2013 7:08 pm
Sorry to hear about all the trouble regarding this. It seems like a silly thing to have problems over... Best of luck figuring it out and keeping the account.

Superman0X

GameMaster: USA
Joined
11 Jun 2007
Posts
12163
Location
San Jose United States
Posted Apr 21, 2013 7:26 pm
I am not sure I am understanding your points:

1. If your Aeria Account is compromised, the email attached to the account is not (unless you use the same username/password, in which case that is the issue, not the Aeria Account compromise)

2. If your Email Account is compromised, the Aeria Account attached to that email is also compromised, as they can just reset the password using the email account.

3. If your Email Account is compromised, and it is attached to your payment method (like paypal), then that is compromised as well (again, they can use the email to compromise the payment method).

4. If your Aeria Account is not associated with your Payment Account Email, then it will be more difficult to detect changes if compromised. It also makes it more difficult to authenticate the user after the compromise.

There does not appear to be any good reason not to associate your billing email with your account... as this is what we are going to go to if something goes wrong.

consider.ez

Rank 4
Joined
12 Jun 2008
Posts
2683
Location
Liberec Czech Republic
Posted Apr 21, 2013 10:14 pm
Superman0X wrote:
I am not sure I am understanding your points:

1. If your Aeria Account is compromised, the email attached to the account is not (unless you use the same username/password, in which case that is the issue, not the Aeria Account compromise)

2. If your Email Account is compromised, the Aeria Account attached to that email is also compromised, as they can just reset the password using the email account.

3. If your Email Account is compromised, and it is attached to your payment method (like paypal), then that is compromised as well (again, they can use the email to compromise the payment method).

4. If your Aeria Account is not associated with your Payment Account Email, then it will be more difficult to detect changes if compromised. It also makes it more difficult to authenticate the user after the compromise.

There does not appear to be any good reason not to associate your billing email with your account... as this is what we are going to go to if something goes wrong.

Uh huh.
If Aeria believes the account is compromised, they ask for changing the email.
From that point the Aeria account email will not be associated to the billing email.
Simple enough?

The point is, what's a better reason not to associate my billing email with my account, than the fact I don't want 2) + 3) to happen simultaneously?

Superman0X

GameMaster: USA
Joined
11 Jun 2007
Posts
12163
Location
San Jose United States
Posted Apr 21, 2013 10:46 pm
consider.ez wrote:


Uh huh.
If Aeria believes the account is compromised, they ask for changing the email.
From that point the Aeria account email will not be associated to the billing email.
Simple enough?

The point is, what's a better reason not to associate my billing email with my account, than the fact I don't want 2) + 3) to happen simultaneously?


If the account is compromised, we will ask for verification from the billing email.
If the billing email states the account is compromised, we will turn over control of the account to that email.

So, basically, if they get control of your billing email, they have control of your account...
If you don't have the billing email on the account, you are less likely to get control back.

Mandatar

Rank 5
Joined
11 Apr 2009
Posts
3572
Location
Netherlands
Posted Apr 22, 2013 12:42 am
Superman0X wrote:

If the account is compromised, we will ask for verification from the billing email.
If the billing email states the account is compromised, we will turn over control of the account to that email.

So, basically, if they get control of your billing email, they have control of your account...
If you don't have the billing email on the account, you are less likely to get control back.


Billdoor was asked to change his account email so that it would match his billing email. If the Aeria account would be compromised (which sadly enough is not unreasonable to assume), there is a great risk for social engineering hackers to attempt access to the billing email account. I work in the IT business and social engineering is something I run into on a weekly basis.

http://en.wikipedia.org/wiki/Social_engineering_%28security%29

I agree with Billdoor that this is a very undesirable request from billing, in fact your defence for the policy makes me afraid that AGE doesn't have the proper focus on account security at all. Billdoor has a genuine concern and asked a very valid question.

Mandatar (80), Scrooge (30), Someshta (30), Azeal (15), Kierin (65)

Superman0X

GameMaster: USA
Joined
11 Jun 2007
Posts
12163
Location
San Jose United States
Posted Apr 22, 2013 6:47 am
Mandatar wrote:
Superman0X wrote:

If the account is compromised, we will ask for verification from the billing email.
If the billing email states the account is compromised, we will turn over control of the account to that email.

So, basically, if they get control of your billing email, they have control of your account...
If you don't have the billing email on the account, you are less likely to get control back.


Billdoor was asked to change his account email so that it would match his billing email. If the Aeria account would be compromised (which sadly enough is not unreasonable to assume), there is a great risk for social engineering hackers to attempt access to the billing email account. I work in the IT business and social engineering is something I run into on a weekly basis.

http://en.wikipedia.org/wiki/Social_engineering_%28security%29

I agree with Billdoor that this is a very undesirable request from billing, in fact your defence for the policy makes me afraid that AGE doesn't have the proper focus on account security at all. Billdoor has a genuine concern and asked a very valid question.  


We are just telling our players what is actually established as the best practices. You can choose to follow them or not... but they are best practices for a reason. In fact, if you contact an email based payment system (Paypal, Google, Moneybookers, etc) and ask them, they will in fact tell you that this is what THEY recommend as well.
